(thanks to Bruce P. Burrell and Tarkan Yetiser for their suggestions,
corrections and constructive comments)

Part 1 - Basics

Please read this warning before going any further. Also, check out
the minimal knowledge I expect you have. You'll need a disk editor
and a bootable disk. I suggest you use Norton Disk Editor, a nifty
program included in Norton Utilities.

The goal

This document is not intended to be a comprehensive reference about
low level disk structures; it does not even attempt to cover all
common scenarios. See it as an extremely small piece of knowledge
that could at best save your a**, and at worst give you a primer in
logical data recovery.

The Master Boot Record

The Master Boot Record (MBR) is 99.999% of the time located on the
first physical sector of a hard disk. It contains two functionally
different parts:

- some executable code
- the partition table

The executable code is loaded into RAM at boot time and, guess what,
executed. Its role is to determine which partition is the bootable
one, and to load and execute its boot sector. That sector then
usually loads the operating system. One interesting thing to know is
that the boot sector is, 99.999% of the time, the first sector of a
partition. Hint: a partition begins with a boot sector and ends
before another boot sector (either a boot sector or another partition
table actually).

The code part of the MBR is the part that is refreshed when FDISK
/MBR is used. Please note that using FDISK /MBR blindly might be a
risky endeavour in that it can do more harm than good. For example,
some hard drives need to use a drive overlay software, such as
OnTrack Disk Manager, to be able to handle large drives. On such
drives, the loader code in the MBR is not the "standard" code FDISK
/MBR puts there. In such cases, you would be destroying the OnTrack
loader code, and your drive will not be accessible afterwards. In
addition, the partition table information is not the same as that on
a hard drive that does not have disk overlay software.

The partition table itself is located at the offset 1BEh of the first
sector of the hard disk. There are four 16-byte entries in the table,
each of them being a placeholder for the description of a partition
on the hard disk. We have this:

Master Boot Record Structure

Offset   Nature                       Size
+00h     Executable code              may vary
+1BEh    1st partition table entry    16 bytes
+1CEh    2nd partition table entry    16 bytes
+1DEh    3rd partition table entry    16 bytes
+1EEh    4th partition table entry    16 bytes
+1FEh    Executable marker 55h AAh    2 bytes

The Partition Table

At this point, it should be obvious that, if a partition table entry
is only 16 bytes long, you don't need a PhD to fix it. Especially if
you know that it is structured like this:

Partition Table Entry Structure

Offset   Nature                                      Size
+00h     Partition State                             1 byte
           00h = non active
           80h = Boot Partition
+01h     Begin of partition : Head                   1 byte
+02h     Begin of partition : Cylinder - Sector      1 word
+04h     Type of partition (see list)                1 byte
+05h     End of partition : Head                     1 byte
+06h     End of partition : Cylinder - Sector        1 word
+08h     Number of sectors between the MBR           4 bytes
         and the 1st sector of the partition
+0Ch     Number of sectors in the partition          4 bytes

The first hurdle

There is only one tricky part in this data structure: the Cylinder -
Sector encoding. If you look at the word as a series of bits, we
have:

Cylinder - Sector encoding

Bits       Content
15 to 8    Cylinder bits 7 to 0
7 and 6    Cylinder bits 9 & 8
5 to 0     Sector bits 5 to 0

One example: the value 957Fh represents

Bit     15 14 13 12 11 10  9  8    7  6    5  4  3  2  1  0
Byte    95h                       7Fh
Value    1  0  0  1  0  1  0  1    0  1    1  1  1  1  1  1
Field   Cylinder bits 7 to 0      9 & 8   Sector bits 5 to 0

0110010101 = Cylinder 405

111111 = Sector 63

How it looks when everything is OK

Now,
let's have a look at a typical working configuration as you'd see
it with a disk editor:

As seen on the disk

State  Begin Head  Begin Sect and Cyl  Type  End Head  End Sect and Cyl  Relative Sect  Number of Sect
80h    01h         0001h               06h   3Fh       957Fh             0000003Fh      0018FA41h
00h    00h         9641h               05h   3Fh       90BFh             0018FA80h      000F7140h

And here is a more meaningful interpretation of the same data:

"Translated"

State         Begin Head  Begin Cyl  Begin Sect  Type      End Head  End Cyl  End Sect  Relative Sect  Number of Sect
Bootable      1           0          1           BigDos    63        405      63        63             1636929
Not Bootable  0           406        1           Extended  63        656      63        1636992        1012032

Note the types of the partition: the first partition is a "BIGDOS"
partition, the second partition is an "EXTENDED" one. What does that
mean? Well, a "BIGDOS" partition is simply a partition bigger than
32M: at one point DOS could not handle partitions bigger than 32M and
when support was introduced, there had to be a way to identify those
"huge" newcomers... In practice, you won't have to worry about the
older types.
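
The decoding above can be checked mechanically. The following Python code is an added example, not part of the original guide: it parses the partition table of a 512-byte sector, decodes the Cylinder - Sector words, and checks that the CHS fields agree with the sector counts. The sample sector is constructed from the two entries shown above; the function names, and the assumption that each partition ends on the last head and sector of a cylinder, are introduced here.

```python
import struct

TYPES = {0x05: "Extended", 0x06: "BigDos"}  # only the two types shown on this page

def decode_cs(word):
    """Split the Cylinder - Sector word into (cylinder, sector)."""
    sector = word & 0x3F                           # bits 5..0
    cylinder = ((word & 0xC0) << 2) | (word >> 8)  # bits 7..6 are cylinder bits 9..8
    return cylinder, sector

def parse_table(sector_bytes):
    """Return the non-empty entries of the partition table at offset 1BEh."""
    if len(sector_bytes) != 512 or sector_bytes[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector ending in 55h AAh")
    entries = []
    for i in range(4):
        raw = sector_bytes[0x1BE + 16 * i : 0x1BE + 16 * (i + 1)]
        state, bh, bcs, ptype, eh, ecs, rel, count = struct.unpack("<BBHBBHII", raw)
        if ptype == 0:                             # type 00h marks an unused slot
            continue
        bc, bs = decode_cs(bcs)
        ec, es = decode_cs(ecs)
        entries.append({"bootable": state == 0x80, "type": TYPES.get(ptype, hex(ptype)),
                        "begin": (bc, bh, bs), "end": (ec, eh, es),
                        "relative": rel, "count": count})
    return entries

def chs_to_lba(chs, heads, spt):
    """Convert (cylinder, head, sector) to a sector number counted from 0."""
    c, h, s = chs
    return (c * heads + h) * spt + (s - 1)

def consistent(entry, base=0):
    """Check that the CHS fields agree with the relative/number-of-sectors fields.
    Assumption: the partition ends on the last head and sector of a cylinder,
    so the geometry can be read from the End fields."""
    heads, spt = entry["end"][1] + 1, entry["end"][2]
    start = base + entry["relative"]
    return (chs_to_lba(entry["begin"], heads, spt) == start and
            chs_to_lba(entry["end"], heads, spt) == start + entry["count"] - 1)

# Constructed sample: the two entries from the "As seen on the disk" table.
SAMPLE = (bytes(0x1BE)
          + struct.pack("<BBHBBHII", 0x80, 0x01, 0x0001, 0x06, 0x3F, 0x957F, 0x3F, 0x18FA41)
          + struct.pack("<BBHBBHII", 0x00, 0x00, 0x9641, 0x05, 0x3F, 0x90BF, 0x18FA80, 0xF7140)
          + bytes(32) + b"\x55\xAA")

if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(e, "consistent" if consistent(e) else "MISMATCH")
```

A mismatch reported by consistent() on a hand-repaired entry means the CHS fields and the sector counts describe different areas of the disk.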

Second Hurdle

The notion of extended partition is actually the second obstacle on
our path to recovery. You have noticed that the partition table of
the MBR holds at most 4 partition entries. That is clearly not enough
to handle all possibilities. Just as BIGDOS partitions were
introduced to overcome the 32M barrier, EXTENDED partitions were
introduced to allow more than four partitions. How does that work?
Well, recursively (don't we all like that word? ;-)). An EXTENDED
partition points to an area of the disk that is actually a virtual
disk by itself. And what do we usually find in the first sector of a
disk? That's right: a sector containing a partition table! Have a
look at what we find at Cylinder 406, Head 0, Sector 1:

A partition within a partition

State         Begin Head  Begin Cyl  Begin Sect  Type    End Head  End Cyl  End Sect  Relative Sect  Number of Sect
Not Bootable  1           406        1           BigDos  63        656      63        63             1011969

The
Extended Partition contains a classical BIGDOS partition, beginning
at the next Head on sector 1, offset by 63 sectors from the Extended
partition and using all but 63 sectors of the available space...
Schematically, we have

Physical Disk
    BigDos Partition
    Extended Partition
        BigDos Partition

Of course, this Russian Doll structure can get much worse than this,
but it may also be simpler: when up to four "normal" partitions have
been defined, for example.

Well, ponder this information for a while. We'll soon be back
with the second part of this field
guide.